1996-02-01 - Re: Visa & MC Std

Header Data

From: olbon@dynetics.com (Clay Olbon II)
To: cypherpunks@toad.com
Message Hash: e84f5b05c128c3994fefb15852f748e11633e39506edef2c4184dcbe1ab87385
Message ID: <v01540b09ad367ceb54a3@[193.239.225.200]>
Reply To: N/A
UTC Datetime: 1996-02-01 15:12:51 UTC
Raw Date: Thu, 1 Feb 1996 23:12:51 +0800

Raw message

From: olbon@dynetics.com (Clay Olbon II)
Date: Thu, 1 Feb 1996 23:12:51 +0800
To: cypherpunks@toad.com
Subject: Re: Visa & MC Std
Message-ID: <v01540b09ad367ceb54a3@[193.239.225.200]>
MIME-Version: 1.0
Content-Type: text/plain


At 8:25 AM 2/1/96, pj ponder wrote (much elided):

>AN FRANCISCO -- Hoping to remove a major impediment to credit card
>transactions over the Internet, a business group led by Mastercard
>International
>and Visa International plans to announce an industry-standard technology
>Thursday for protecting the security of electronic payments.
...
>
>The software standard, called Secure Electronic Transactions, or SET,
>will permit a user to send a credit card account numbers to a merchant
>in a scrambled
>form.
>
>The scrambled number is supposed to be unintelligible to electronic
>eavesdroppers and thieves -- and even to the merchants receiving the
>payment.
>
>But a special code is supposed to enable the merchant to check
>electronically and automatically with the bank that issued the credit
>card to make sure that it is a
>valid card number and that the customer is the authorized user of the
>card. The number-scrambling part of the system is based on a well-known
>and widely used
>national software standard known as the Data Encryption Standard.

----------------

A few psueudorandom points regarding this post:

        First, it seems silly to implement a separate standard that only
works for the credit card number.  What about the privacy of the rest of
the info (what I am ordering, how much, etc.).

        Can (or will) this be layered with Netscape's SSL?

        How is this to be implemented?  It sounds like the merchants will
just pass the encrypted number to the credit card company.  If this is the
case, key management could become an issue.  I suppose this could easily be
implemented using public key crypto, but only DES was mentioned.  If only
DES is used and everyone uses the same DES key, that would be a valuable
key to break!

        How about a MITM attack.  Get the encrypted credit card #, and
change the purchase amount, delivery info, etc if that is not encrypted.

If there is anyone on the list with more info on this, I would love to hear
it (heopfully we will hear something from Netscape, since they are quoted
in the article).  From what I know so far, it seems like a poor compromise.



---------------------------------------------------------------------------
Clay Olbon II            | olbon@dynetics.com
Systems Engineer         | ph: (810) 589-9930 fax 9934
Dynetics, Inc., Ste 302  | http://www.msen.com/~olbon/olbon.html
550 Stephenson Hwy       | PGP262 public key: finger olbon@mgr.dynetics.com
Troy, MI 48083-1109      | pgp print: B97397AD50233C77523FD058BD1BB7C0
    "To escape the evil curse, you must quote a bible verse; thou
     shalt not ... Doooh" - Homer (Simpson, not the other one)
---------------------------------------------------------------------------







Thread